Sampler and the GDPR

The GDPR (General Data Protection Regulation) is a significant update to European Union privacy legislation, replacing the 1995 Data Protection Directive, enhancing individual privacy protections and placing new requirements on businesses collecting and handling data.

Sampler is fully committed to GDPR compliance in advance of the May 25, 2018 deadline. This page provides a summary of our compliance activities for customers, partners, and consumers.

Compliance Roadmap

Sampler began its GDPR-compliance activities in December 2017, a full 6 months before the deadline, to ensure enough time was given for a thorough compliance review and implementation process. Here’s a summary of where we’re at today:

1. Fully assess the areas of our product and processes impacted by GDPR, including review by outside counsel – COMPLETE
2. Designate a Data Protection Officer – COMPLETE
3. Recording of data processing including the categories of data subjects of personal data collected, recipients of personal data such as Sampler suppliers and legal basis for processing – COMPLETE
4. Develop a strategy and set of requirements to bring our product into GDPR compliance – COMPLETE
5. Implement and test the product changes specified in those requirements – COMPLETE
6. Develop a strategy and set of requirements to bring our internal processes into GDPR compliance, including the implementation of a complaint breach response and breach notification plan – COMPLETE
7. Implement the process changes specified in those requirements – COMPLETE
8. Update our Terms of Service and Privacy Policy to comply with GDPR – COMPLETE
9. Communicate our compliance to customers prior to the GDPR effective date – COMPLETE

Product and Process Changes

The product and process changes we have identified for GDPR compliance are:

1. The ability for consumers to access, rectify, download and delete all profile information. This will be implemented as a self-serve function within the consumer account portal, providing complete control to consumers over their data.
2. More explicit notifications on collection and use of data within the Sampler account registration process
3. More explicit notifications on collection and use of data (including cookies) within the program application itself
4. Enhancements to the remarketing opt-in process to ensure all opt-ins collected are explicit
5. Platform security updates & breach protection enhancements
6. The publication of an updated internal data security policy addressing the detection, investigation and reporting of data breaches to the appropriate GDPR Supervisory Authorities

Based on our internal assessment and review by outside counsel, we believe these changes will fully address our GDPR obligations and give our customers and partners the information they need to fulfill their own compliance obligations.

Frequently Asked Questions

Where is Sampler hosted and how will you address data export from the EU?

GDPR allows cross border data transfers without further authorization to countries recognized as possessing adequate personal data protections, such as Canada, and to U.S. companies certified under the EU-US Privacy Shield framework.

Sampler is a Canadian company hosted at Amazon Web Services US-East (N. Virginia), and Amazon is a Privacy Shield-certified company. Accordingly, the transfer of data between our hosting facility and EU countries is GDPR compliant. More information about Amazon’s compliance can be found here.

Is Sampler a Data Controller or a Data Processor?

Under the GDPR, a Data Controller is an entity that determines the purposes, conditions and means of the processing of personal data. The Data Processor is an entity that processes personal data on behalf of the Data Controller. Sampler embodies both roles in the operation of our Sampling programs.

The consumer has a single Sampler account across all of the Sampler programs they participate in with our customers and partners. Sampler determines the policies and procedures to use and protect this data. Consequently, it is the Data Controller for this account.

Consumers may also opt-in to share information from their Sampler account with our customer and partners for remarketing purposes. The customer or partner determine the uses and protection of  this data and is its Data Controller, and Sampler is the Data Processor facilitating the data transfer.

How long is personal data retained?

The GDPR does not set any fixed data retention period. Article 5(e) of the regulation simply requires that personal data be kept for no longer than is necessary for the purposes for which it is processed.

Because we maintain a single Sampler account for consumers, which they may use in any program we power, the necessary retention period is not limited to any specific program’s availability window. Rather, we will be providing consumers themselves the ability to access, rectify, download and delete all profile information at any time within their Sampler account portal. Further, consumers will be promoted to review their profile information annually.